Author: Gordon McBride
UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering Introduction to Cryptography ECE 597XX/697XX Part 8

Public-Key Cryptosystems Based on the Discrete Logarithm Problem Israel Koren

ECE597/697 Koren Part.8 .1

Adapted from Paar & Pelzl, “Understanding Cryptography,” and other sources

Content of this Chapter
• Diffie–Hellman Key Exchange
• The Discrete Logarithm Problem
• Security of the Diffie–Hellman Key Exchange
• The ElGamal Encryption Scheme


Page 1

Diffie–Hellman Key Exchange: Overview
• Proposed in 1976 by Diffie and Hellman
• Widely used, e.g. in Secure Shell (SSH), Transport Layer Security (TLS), and Internet Protocol Security (IPSec)
• The Diffie–Hellman Key Exchange (DHKE) is a key exchange protocol and is not used for encryption (for encryption based on the DHKE, ElGamal can be used)
Setup:
1. Choose a large prime p.
2. Choose an integer α ∈ {2, 3, . . . , p−2}.
3. Publish p and α.




Diffie–Hellman Key Exchange
Alice:
• Choose random private key kprA = a ∈ {1, 2, …, p−1}
• Compute corresponding public key kpubA = A = α^a mod p
• Send A to Bob
Bob:
• Choose random private key kprB = b ∈ {1, 2, …, p−1}
• Compute corresponding public key kpubB = B = α^b mod p
• Send B to Alice
Alice computes the common secret kAB = B^a = (α^b)^a mod p
Bob computes the common secret kAB = A^b = (α^a)^b mod p
(α^a)^b = (α^b)^a mod p
We can now use the joint key kAB for encryption, e.g., with AES: Alice sends y = AES_kAB(x) and Bob recovers x = AES^-1_kAB(y)


Diffie–Hellman Key Exchange: Example
Domain parameters p = 29, α = 2
Alice:
• Choose random private key kprA = a = 5
• Compute corresponding public key kpubA = A = 2^5 = 3 mod 29
• Send A = 3 to Bob
Bob:
• Choose random private key kprB = b = 12
• Compute corresponding public key kpubB = B = 2^12 = 7 mod 29
• Send B = 7 to Alice
Alice computes the common secret kAB = B^a = 7^5 = 16 mod 29
Bob computes the common secret kAB = A^b = 3^12 = 16 mod 29
• Alice and Bob compute the same key kAB
• p is large, so kAB is large too
• Use the 128 MSBs (for AES) or hash to 128 bits
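The exchange of the previous two slides, written out as an added example (this is not code from the slides or from Paar & Pelzl). It reproduces the p = 29, α = 2 example and adds the last step the slide only mentions: turning kAB into a 128-bit AES key, here by the hashing option (SHA-256 truncated to 16 bytes). The range check on the received public value is a standard sanity test that is not shown on the slide; function names and the toy parameters are this example's own.

```python
import hashlib

# Domain parameters from the slide example: a constructed toy group, not a
# secure choice.  Real deployments use a prime of at least 1024 bits.
P, ALPHA = 29, 2


def dh_public(p, alpha, priv):
    """Public key alpha^priv mod p; pow() uses square-and-multiply."""
    return pow(alpha, priv, p)


def peer_value_accepted(p, pub):
    """Sanity check (not on the slide): a received public value must lie in
    {2, ..., p-2}.  The values 1 and p-1 generate subgroups of order 1 and 2,
    which would force the shared secret into a tiny, guessable set."""
    return 2 <= pub <= p - 2


def dh_shared(p, peer_pub, priv):
    """Common secret kAB = peer_pub^priv mod p, after checking the peer value."""
    if not peer_value_accepted(p, peer_pub):
        raise ValueError("peer public value out of range")
    return pow(peer_pub, priv, p)


def derive_aes_key(p, k_ab):
    """128-bit AES key from kAB.  The slide allows taking the 128 MSBs or
    hashing; this hashes the fixed-width big-endian encoding of kAB so the
    input to the hash is unambiguous for every value in Z_p*."""
    width = (p.bit_length() + 7) // 8
    return hashlib.sha256(k_ab.to_bytes(width, "big")).digest()[:16]


def run_exchange(p, alpha, a, b):
    """Both sides of the protocol; returns (A, B, kAB as seen by Alice,
    kAB as seen by Bob).  A and B are the only values that cross the wire."""
    A = dh_public(p, alpha, a)     # Alice -> Bob
    B = dh_public(p, alpha, b)     # Bob -> Alice
    k_alice = dh_shared(p, B, a)   # B^a mod p
    k_bob = dh_shared(p, A, b)     # A^b mod p
    return A, B, k_alice, k_bob


if __name__ == "__main__":
    A, B, ka, kb = run_exchange(P, ALPHA, 5, 12)
    print(A, B, ka, kb)                      # 3 7 16 16
    print(derive_aes_key(P, ka).hex())
```

Both sides end up with the same kAB only because (α^a)^b = (α^b)^a; the example never transmits a or b, which is exactly the information Oscar is missing in the security discussion below.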


The Discrete Logarithm Problem (DLP) in Zp*
Given: a finite cyclic group Zp* of order p−1, a primitive element α ∈ Zp* and another element β ∈ Zp*.
• The DLP is the problem of determining the integer 1 ≤ x ≤ p−1 such that α^x ≡ β mod p
• DLP: find x = log_α β mod p
• Example: Compute x for 5^x ≡ 41 mod 47
• 5^46 ≡ 1 mod 47
• Ord(5) = 46
• 12^46 ≡ 1 mod 47
• Ord(12) = 46


Cyclic groups and primitive elements
• The group Zp* = {1, ..., p−1} for p prime is commutative under multiplication mod p
• The order of an element α, ord(α), of a group with the operation ◦ is the smallest integer k such that α^k = α◦α◦...◦α (k times) = 1 mod p
• Example: a = 3 in Z11*: Ord(3) = 5
• The cardinality |G| of the group G = Zp* is the number of elements i in G such that gcd(i, p) = 1, i.e., |G| = Φ(p) = p−1
• A group G that contains an element α such that ord(α) = |G| (cardinality of G) is called cyclic; such α is called a primitive element (or generator) of G
• Example: a = 2 in Z11*: Ord(2) = 10, all elements of Z11* are generated


Cyclic groups and primitive elements
• For every element a in a cyclic group G, ord(a) divides |G| and a^|G| = 1
• Example: Z11*
• The number of primitive elements in G is Φ(|G|)
• Example: for Z11*, Φ(10) = (5−1)(2−1) = 4
• If |G| is prime, all elements a ≠ 1 are primitive
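The definitions of the last three slides (element order, primitive elements, Φ(|G|), and the DLP example 5^x ≡ 41 mod 47) can all be checked by hand-sized computation. The following is an added example, not code from the slides: it computes orders by repeated multiplication, lists the primitive elements of Z11* and compares their count with Φ(10), and solves the slide's DLP instance by exhaustive search, which is the "brute-force" generic method of the next slide. Running it is also a useful check on the bullets above: ord(5) = 46 comes out as stated, while the order routine returns 23 for 12 (12 is a quadratic residue mod 47, so 12^23 ≡ 1 already). Function names are this example's own.

```python
def element_order(a, p):
    """Smallest k >= 1 with a^k = 1 mod p, by repeated multiplication.
    Only meaningful for a in Z_p*, i.e. gcd(a, p) = 1."""
    a %= p
    if a == 0:
        raise ValueError("0 is not in Z_p*")
    k, cur = 1, a
    while cur != 1:
        cur = cur * a % p
        k += 1
    return k


def is_primitive(a, p):
    """a is a generator of Z_p* exactly when ord(a) = |Z_p*| = p - 1."""
    return element_order(a, p) == p - 1


def primitive_elements(p):
    """All generators of Z_p*; the slide says there are Phi(p - 1) of them."""
    return [a for a in range(1, p) if is_primitive(a, p)]


def euler_phi(n):
    """Euler's totient by trial-division factoring (fine for toy sizes)."""
    result, m, q = n, n, 2
    while q * q <= m:
        if m % q == 0:
            while m % q == 0:
                m //= q
            result -= result // q
        q += 1
    if m > 1:
        result -= result // m
    return result


def dlog_bruteforce(alpha, beta, p):
    """Exhaustive search for 1 <= x <= p-1 with alpha^x = beta mod p.
    Cost is O(p): this is the baseline every other DLP algorithm improves on."""
    beta %= p
    cur = 1
    for x in range(1, p):
        cur = cur * alpha % p
        if cur == beta:
            return x
    return None   # beta not in the subgroup generated by alpha


if __name__ == "__main__":
    print(element_order(3, 11), element_order(2, 11))      # 5 10
    print(primitive_elements(11), euler_phi(10))            # [2, 6, 7, 8] 4
    print(dlog_bruteforce(5, 41, 47))                       # 15
    print(element_order(5, 47), element_order(12, 47))      # 46 23
```

The exhaustive search takes 15 multiplications here and would take on the order of 2^1024 for a prime of the size the later slides recommend, which is the whole reason the DLP is usable as a one-way function.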


The Generalized Discrete Logarithm Problem
• Given a finite cyclic group G with the operation ◦ and cardinality p−1, consider a primitive element α ∈ G and another element β ∈ G.
• The discrete logarithm problem is finding the integer x, where 1 ≤ x ≤ p−1, such that: β = α◦α◦...◦α (x times) = α^x mod p
Two discrete logarithm problems are used in cryptography:
1. The multiplicative group of the prime field Zp or a subgroup of it, e.g., the classical DHKE, ElGamal encryption and the Digital Signature Algorithm (DSA).
2. The cyclic group formed by an elliptic curve (see Chapter 9)


Attacks against the Discrete Logarithm
• Security of many asymmetric primitives is based on the difficulty of computing the DLP in cyclic groups, i.e., compute x for a given α and β such that β = α◦α◦...◦α = α^x
• The following algorithms for computing discrete logarithms exist:
• Generic algorithms: work for any cyclic group
− Brute-Force Search
− Shanks' Baby-Step Giant-Step Method
− Pollard's Rho Method
− Pohlig-Hellman Method
• Non-generic algorithms: work only for specific groups, in particular in Zp: the Index Calculus Method
• Elliptic curves can only be attacked with generic algorithms, which are weaker than non-generic algorithms. Hence, elliptic curves are secure with shorter key lengths than the DLP in prime fields Zp
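Of the generic methods listed above, Shanks' baby-step giant-step is the simplest to see in code, so here it is as an added example (not code from the slides). It trades memory for time: with m = ⌈√n⌉ it stores m baby steps α^j and then walks at most m giant steps β·α^(−im), looking for a collision, so it costs about 2√n group operations instead of the n of exhaustive search. The inverse α^(−m) is taken via Fermat's little theorem, which assumes p is prime. The function name and the second, larger test instance are this example's own.

```python
import math


def bsgs(alpha, beta, p):
    """Shanks' baby-step giant-step for x with alpha^x = beta mod p,
    searching the full range 1 <= x <= p-1 (p prime assumed).
    Returns None if beta is not a power of alpha."""
    n = p - 1                     # group order of Z_p*
    m = math.isqrt(n) + 1         # ceil(sqrt(n)) is enough to cover 0..n-1
    beta %= p

    # Baby steps: table alpha^j -> j for j = 0 .. m-1 (keep the smallest j).
    table = {}
    aj = 1
    for j in range(m):
        table.setdefault(aj, j)
        aj = aj * alpha % p

    # Giant steps: gamma_i = beta * alpha^(-i*m).  A hit gamma_i = alpha^j
    # means beta = alpha^(i*m + j).  alpha^(-m) = (alpha^(p-2))^m by Fermat.
    alpha_inv_m = pow(pow(alpha, p - 2, p), m, p)
    gamma = beta
    for i in range(m):
        if gamma in table:
            x = i * m + table[gamma]
            return x if x != 0 else n   # alpha^0 = alpha^(p-1), report as p-1
        gamma = gamma * alpha_inv_m % p
    return None


if __name__ == "__main__":
    print(bsgs(5, 41, 47))                          # 15, as on the DLP slide
    p = 1000003                                     # constructed larger instance
    x = bsgs(2, pow(2, 123456, p), p)
    print(x, pow(2, x, p) == pow(2, 123456, p))     # a valid log, checked by re-exponentiating
```

For the slide's instance m = 7, so the baby-step table holds 5^0..5^6 and the collision is found at the third giant step (41 = 5^(2·7+1)). The recommendation on the next slide follows directly from this √n behaviour: only a group of order around 2^160 or more pushes the generic attacks beyond 2^80 operations, and in Zp* the index calculus method is stronger still, hence the 1024-bit primes.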


Attacks against the Discrete Logarithm Problem
Summary of records for computing discrete logarithms in Zp*

Decimal digits   Bit length   Date
 58              193          1991
 68              216          1996
 85              282          1998
100              332          1999
120              399          2001
135              448          2006
160              532          2007

To prevent attacks that compute the DLP, it is recommended to use primes with a length of at least 1024 bits for schemes such as Diffie-Hellman in Zp*


Security of the classical DH Key Exchange
Which information does Oscar have?
• α, p
• kpubA = A = α^a mod p
• kpubB = B = α^b mod p
Which information does Oscar want to have?
• kAB = α^(ba) = α^(ab) mod p
• This is known as the Diffie-Hellman Problem (DHP)
The only known way to solve the DHP is to solve the DLP, i.e.
1. Compute a = log_α A mod p
2. Compute kAB = B^a = α^(ba) mod p
It is conjectured that the DHP and the DLP are equivalent, i.e., solving the DHP implies solving the DLP
To prevent attacks, i.e., to prevent that the DLP can be solved, choose p > 2^1024


The ElGamal Encryption Scheme: Principle
• Proposed by ElGamal in 1985 - can be viewed as an extension of the DHKE protocol
• Based on the intractability of the discrete logarithm and the Diffie–Hellman problems
• Select p and α
Bob:
• choose d = kprB ∈ {2, …, p−2}
• compute β = kpubB = α^d mod p
• send β to Alice
Alice:
• choose i = kprA ∈ {2, …, p−2}
• compute ephemeral key kE = kpubA = α^i mod p
• send kE to Bob
• compute kM = β^i mod p
• encrypt message x ∈ Zp*: y = x·kM mod p
• send y to Bob
Bob:
• compute kM = kE^d mod p
• decrypt x = y·kM^-1 mod p


The ElGamal Encryption Protocol
Bob:
• choose large prime p
• choose primitive element α ∈ Zp*
• choose d = kprB ∈ {2, …, p−2}
• compute β = kpubB = α^d mod p
• send kpubB = (p, α, β) to Alice
Alice:
• choose i = kprA ∈ {2, …, p−2}
• compute kE = kpubA = α^i mod p
• compute masking key kM = β^i mod p
• encrypt message x ∈ Zp*: y = x·kM mod p
• send (kE, y) to Bob
Bob:
• compute masking key kM = kE^d mod p
• decrypt x = y·kM^-1 mod p
The ElGamal protocol re-orders the computations to save one communication


The ElGamal Protocol - Example
Bob:
• p = 31; primitive element α = 3
• choose d = kprB = 5
• β = kpubB = α^d = 3^5 = 26 mod 31
• send kpubB = (31, 3, 26) to Alice
Alice (message x = 12):
• choose i = kprA = 2
• kE = kpubA = 3^2 = 9 mod 31
• masking key kM = 26^2 = 25 mod 31
• encrypt x = 12: y = 12·25 mod 31 = 21 mod 31
• send (9, 21) to Bob
Bob:
• masking key kM = 9^5 = 25 mod 31
• inverse of kM by the extended Euclidean algorithm: gcd(31,25) = gcd(25,6) = gcd(6,1) = 1; 6 = 31·1 − 25·1; 25 = 6·4 + 1 = 31·4 − 25·4 + 1 ⇒ 1 = 25·5 − 31·4 ⇒ 25^-1 = 5 mod 31
• decrypt x = y·kM^-1 mod p = 21·25^-1 mod 31 = 21·5 = 12 mod 31


Computational Aspects
• Key Generation
− Generation of prime p: has to have at least 1024 bits
• Encryption
− Requires two modular exponentiations and a modular multiplication
− All operands have a bit length of log2 p
− Efficient execution requires methods such as the square-and-multiply algorithm
• Decryption
− Requires one modular exponentiation and one inversion
− Inversion can be computed from the ephemeral key: kM^-1 mod p = (kE^d)^-1 mod p = (kE^d)^-1 · kE^(p−1) mod p = kE^(p−d−1) mod p (since kE^(p−1) = 1 mod p according to Fermat's little theorem)
− Example: for kE = 9, kE^(p−d−1) mod p = 9^(31−5−1) = 9^25 mod 31 = 5 mod 31


Security
• Passive attacks
− Attacker eavesdrops p, α, β = α^d, kE = α^i, y = x·β^i and wants to recover x
− Problem relies on the DLP
• Active attacks
− If the public keys are not authenticated, an attacker could send an incorrect public key (cf. Chapter 13)
− An attack is also possible if the secret exponent i is used more than once (if you know/guess the 1st message you can decrypt the 2nd)
− The ElGamal protocol is malleable: Oscar can replace (kE, y) by (kE, s·y) and the receiver would get s·x
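The ElGamal protocol, the p = 31 example, the two inversion methods from the computational-aspects slide and the two active-attack properties just listed, all in one added example (this is not code from the slides or from Paar & Pelzl). Decryption can invert kM either by the extended Euclidean algorithm, as on the example slide, or directly from the ephemeral key as kE^(p−d−1) via Fermat's little theorem. The last two functions are defender-side checks: they show, on the toy parameters, that a ciphertext can be scaled without detection and that reusing i leaks the second plaintext, which is why real systems authenticate public keys, add integrity protection, and never reuse an ephemeral exponent. Function names and the second message x = 7 are this example's own.

```python
def egcd_inverse(a, p):
    """a^-1 mod p by the extended Euclidean algorithm (the method on the
    example slide: 1 = 25*5 - 31*4, so 25^-1 = 5 mod 31)."""
    old_r, r = a % p, p
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("not invertible modulo p")
    return old_s % p


def keygen(p, alpha, d):
    """Bob: public key (p, alpha, beta = alpha^d mod p), private key d."""
    return (p, alpha, pow(alpha, d, p)), d


def encrypt(pub, x, i):
    """Alice: ephemeral key kE = alpha^i, masking key kM = beta^i, y = x*kM."""
    p, alpha, beta = pub
    k_e = pow(alpha, i, p)
    k_m = pow(beta, i, p)
    return k_e, x * k_m % p


def decrypt(pub, d, ct, use_fermat=False):
    """Bob: recover x = y * kM^-1 mod p.  kM^-1 is taken either as
    (kE^d)^-1 via extended Euclid or as kE^(p-d-1) via Fermat."""
    p, _, _ = pub
    k_e, y = ct
    if use_fermat:
        k_m_inv = pow(k_e, p - d - 1, p)           # one exponentiation, no inversion
    else:
        k_m_inv = egcd_inverse(pow(k_e, d, p), p)  # exponentiation plus inversion
    return y * k_m_inv % p


def scaled_ciphertext(p, ct, s):
    """Malleability check: (kE, y) -> (kE, s*y) decrypts to s*x mod p.
    Nothing in textbook ElGamal lets the receiver notice the change."""
    k_e, y = ct
    return k_e, s * y % p


def plaintext_from_reused_ephemeral(p, ct1, x1, ct2):
    """Ephemeral-reuse check: two ciphertexts with the same kE share kM, so a
    known x1 gives x2 = y2 * x1 * y1^-1 mod p without any private key."""
    (k1, y1), (k2, y2) = ct1, ct2
    if k1 != k2:
        raise ValueError("ephemeral keys differ; nothing to check")
    return y2 * x1 * egcd_inverse(y1, p) % p


if __name__ == "__main__":
    pub, d = keygen(31, 3, 5)                 # pub = (31, 3, 26)
    ct = encrypt(pub, 12, 2)                  # (9, 21)
    print(pub, ct, decrypt(pub, d, ct), decrypt(pub, d, ct, use_fermat=True))
    print(decrypt(pub, d, scaled_ciphertext(31, ct, 2)))          # 24 = 2*12
    ct2 = encrypt(pub, 7, 2)                  # same i reused for x = 7
    print(plaintext_from_reused_ephemeral(31, ct, 12, ct2))        # 7
```

Encrypting the same x = 12 with a different i (say i = 3) gives a different pair, which is the probabilistic-encryption property noted in the lessons-learned slide; the two check functions show the flip side, that the mask is the only thing protecting y, so its freshness and the integrity of (kE, y) have to come from the surrounding protocol.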


Lessons Learned
• The Diffie–Hellman protocol is widely used for key exchange.
• The discrete logarithm problem is one of the most important one-way functions in modern asymmetric cryptography. Many public-key algorithms are based on it.
• For the Diffie–Hellman protocol in Zp*, the prime p should be at least 1024 bits long. This provides a security roughly equivalent to an 80-bit symmetric cipher.
• For better long-term security, a prime of length 2048 bits should be chosen.
• The ElGamal scheme is an extension of the DHKE where the derived session key is used as a multiplicative mask to encrypt a message.
• ElGamal is a probabilistic encryption scheme, i.e., encrypting two identical messages does not yield identical ciphertexts.
